Receiving CEF format logs using the Filebeat CEF module and sending them to Logstash
While viewing the parsed results, I could see that there was an error tag.
"error": {
  "message": [
    "malformed value for filePath at pos 168",
    "malformed value for attachment at pos 526",
    "malformed value for Incident_SnapshotURL at pos 807"
  ]
}
All other items were parsed normally. What filePath, attachment, and Incident_SnapshotURL, the fields where the errors occurred, have in common is that they contain "(" and ")", and I judge that this is why the error occurred.
The original message is:
CEF:0|Symantec|DLP|15.5||주요키워드 탐지||Severity=4:정보 action=없음 Match_Count=4 Incident_ID=2726415 status=??? 신규 ??? appname=XXX.exe filePath=C:\\Users\\005034\\Desktop\\XX\\XXXXXX(1008)\\QAXX(1014)\\2020_10월 fname=2020년 10월_XX_XX XX_XX(XXXX)_ver2.xlsx msg=해당 없음 proto=XXXX XX XX XX XXX shost=X2X19X50X0-01 suser=해당 없음 suid=해당 없음 duser=해당 없음 dhost=해당 없음 attachment=C:\\Users\\005034\\Desktop\\XX\\XXXXXX(1008)\\QAXX(1014)\\2020_10월 _XX_XX XX_XX(XXXX)_ver2.xlsx Scan_Date=해당 없음 Incident_SnapshotURL=https://XXXX/ProtectManager/XXXXXXXXXXXX.do?value(variable_1)=incident.id&value(operator_1)=incident.id_in&value(operand_1)=2726415 Rules_Names=XXXXX DataOwner_Name=해당 없음 DataOwner_Email=해당 없음 Quaramtine_Parent_Path=해당 없음\u0000
Can't the Filebeat CEF module parse "(" and ")"?
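An added example (not part of the original post, and not Filebeat's decoder): a small Python check of extension values against the CEF specification's escaping rules, which require `=` and `\` inside a value to be written as `\=` and `\\` and do not list parentheses. The sample line is constructed, and the key-splitting regex and function names are assumptions of this sketch.

```python
import re

# Assumption: a key is letters/digits/underscore at the start of the
# extension or right after a space, followed by '='.
KEY_RE = re.compile(r'(?:^| )([A-Za-z0-9_]+)=')

def split_extension(ext):
    """Split a CEF extension string into (key, raw_value) pairs."""
    matches = list(KEY_RE.finditer(ext))
    pairs = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        pairs.append((m.group(1), ext[m.end():end]))
    return pairs

def escaping_problems(value):
    """Return (offset, description) for characters that CEF requires escaped."""
    problems = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == '\\':
            # Valid escapes in extension values: \\  \=  \n  \r
            if value[i + 1:i + 2] in ('\\', '=', 'n', 'r'):
                i += 2
                continue
            problems.append((i, "lone backslash"))
        elif c == '=':
            problems.append((i, "unescaped '='"))
        i += 1
    return problems

def check_extension(ext):
    """Map each extension key to the escaping problems found in its value."""
    return {key: escaping_problems(val) for key, val in split_extension(ext)}

# Constructed sample: escaped path, unescaped path, URL with raw '=' signs.
SAMPLE = (r"Incident_ID=1 filePath=C:\\Users\\u1\\QA(1014)\\a.xlsx "
          r"attachment=C:\Users\u1\QA(1014)\a.xlsx "
          r"Incident_SnapshotURL=https://dlp.example/i.do?value(variable_1)"
          r"=incident.id&value(operand_1)=1 Rules_Names=demo")

if __name__ == "__main__":
    for key, problems in check_extension(SAMPLE).items():
        print(key, problems or "ok")
```

Running the same check over the raw line as it arrives on the wire, before any JSON display escaping, shows which fields break the specification's rules independently of the parentheses.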